New Edition of Secure Coding in C and C++ Addresses Code Changes and New Threats

April 11, 2013 • Article

April 11, 2013—To address advances and changes in the C and C++ coding languages, and to address new threats faced by programmers working in these languages, Software Engineering Institute (SEI) researcher Robert C. Seacord has authored Secure Coding in C and C++, Second Edition. Seacord, a senior member of the SEI technical staff and technical manager of the CERT Secure Coding Initiative, also authored the original 2005 edition. The book has been published by Addison-Wesley Professional as part of its SEI Series.

In Secure Coding in C and C++, Second Edition, Seacord identifies the program errors most likely to lead to security breaches, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives. "One of the big changes in the C and C++ languages has been support for multiple threads of execution," said Seacord. "In the long term, this is a good thing. But, in the short term, it brings concurrency class vulnerabilities into both languages." Seacord noted that to address this specific issue, he's added a new chapter on concurrency in the new edition.

The new edition takes into account significant security improvements that have emerged in the C and C++ standards since 2005. Seacord cited the example of support for bounds-checking interfaces. "The support for bounds-checking interfaces was introduced in ISO/IEC TR 24731-1:2007," said Seacord. "To address this, we made major revisions and updates to the chapter on strings."

Seacord notes he devoted much effort to aligning the new edition with the standard for C and C++ and to explaining the effects of undefined behaviors in these programming languages. "Any new language feature with undefined behaviors is likely more dangerous than most programmers realize," said Seacord. "To make the book more practical, we've eliminated research mitigation strategies in favor of existing solutions."

Citing the need for secure coding standards in the book's foreword, Richard Pethia, director of the SEI's CERT Program, noted, "Today, software vulnerabilities are being discovered at the rate of over 4,000 per year. These vulnerabilities are caused by software designs and implementations that do not adequately protect systems and by development practices that do not focus sufficiently on eliminating implementation defects that result in security flaws." Pethia also noted that, while there remains a need for effective, coordinated response to software vulnerabilities, "We must also build more secure systems that are not easily compromised."